rules/windows/sysmon/sysmon_renamed_powershell.yml

title: Renamed PowerShell
id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
status: experimental
description: Detects the execution of a renamed PowerShell often used by attackers or malware
references:
    - https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth
date: 2019/08/22
tags:
    - car.2013-05-009
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        Description: 'Windows PowerShell'
        Company: 'Microsoft Corporation'
    filter:
        Image: 
            - '*\powershell.exe'
            - '*\powershell_ise.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`title: Renamed PowerShell`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`status: experimental`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects the execution of a renamed PowerShell often used by attackers or malware`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`references:`
			`- https://twitter.com/christophetd/status/1164506034720952320`
			`author: Florian Roth`
			`date: 2019/08/22`
			`tags:`
			`- car.2013-05-009`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`Description: 'Windows PowerShell'`
			`Company: 'Microsoft Corporation'`
			`filter:`
fix: renamed powershell rule 2019-09-06 17:33:56 +02:00			`Image:`
			`- '*\powershell.exe'`
			`- '*\powershell_ise.exe'`
rule: renamed powershell 2019-08-22 14:22:36 +02:00			`condition: selection and not filter`
			`falsepositives:`
			`- Unknown`
			`level: critical`